Posted to users@maven.apache.org by sh...@accenture.com on 2012/05/23 00:15:10 UTC

How can I eliminate these embedded username and password entries?

Caveat: I'm the SysAdmin in charge of our Artifactory server (to which I'm new), and not a developer, so my Maven knowledge is somewhat limited. I'm a fast learner though. :)

Our developers have embedded the Artifactory username and password in their POM files, and I very much wish to not have them do that. If it matters, they are using Maven 2.2.1. Here are the relevant, sanitized portions of their POM files:

  <properties>
    <artifactory-url>http://my.artifactory.server:8081/artifactory</artifactory-url>
    <artifactory-usr>a_username</artifactory-usr>
    <artifactory-pwd>a_password</artifactory-pwd>
  </properties>

      <plugin>
        <artifactId>maven-antrun-plugin</artifactId>
        <executions>
          <execution>
            <id>metrics-for-eclipse</id>
            <phase>generate-resources</phase>
            <configuration>
              <target>
                <taskdef resource="net/sf/antcontrib/antlib.xml" />
                <if>
                  <equals arg1="${maven.fetch.filters}" arg2="true" />
                  <then>
                    <get
                      src="${artifactory-url}/libs-release-local/path/to/findbugs-filter.xml"
                      dest="${maven.repo.local}\path\to\findbugs-filter.xml"
                      usetimestamp="true"
                      ignoreerrors="true"
                      username="${artifactory-usr}"
                      password="${artifactory-pwd}"/>
                    <get
                      src="${artifactory-url}/libs-release-local/path/to/checkstyle.xml"
                      dest="${maven.repo.local}\path\to\checkstyle.xml"
                      usetimestamp="true"
                      ignoreerrors="true"
                      username="${artifactory-usr}"
                      password="${artifactory-pwd}"/>
                    <get src="${artifactory-url}/libs-release-local/path/to/pmd-ruleset.xml"
                      dest="${maven.repo.local}\path\to\pmd-ruleset.xml"
                      usetimestamp="true"
                      ignoreerrors="true"
                      username="${artifactory-usr}"
                      password="${artifactory-pwd}"/>
                  </then>
                  <else>
                    <echo>Using local machine's already available Eclipse filters. Run with -Dmaven.fetch.filters=true if they are needed.</echo>
                  </else>
                </if>
              </target>
            </configuration>
            <goals>
              <goal>run</goal>
            </goals>
          </execution>
        </executions>
      </plugin>

Is there some other way of retrieving these resources from my artifactory server that doesn't require embedding the login information in their POM files?

Thank you, in advance, for any guidance you might offer.

-ste
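
One way to get the credentials out of the POM, shown as an added example that is not part of the original post: define the same two property names in each developer's per-user `~/.m2/settings.xml` and delete them from the POM's `<properties>` block, so the `<get>` tasks resolve `${artifactory-usr}` and `${artifactory-pwd}` unchanged. The profile id is an assumption made for this example; `a_username` and `a_password` are the post's own placeholders.

```xml
<!-- ~/.m2/settings.xml: per-user file, kept out of version control.
     In pom.xml, the <properties> block then keeps only <artifactory-url>;
     the <artifactory-usr> and <artifactory-pwd> entries are deleted. -->
<settings>
  <profiles>
    <profile>
      <!-- Profile id is a made-up name for this example. -->
      <id>artifactory-credentials</id>
      <properties>
        <!-- Same property names the POM's <get> tasks already reference,
             so the maven-antrun-plugin configuration needs no change. -->
        <artifactory-usr>a_username</artifactory-usr>
        <artifactory-pwd>a_password</artifactory-pwd>
      </properties>
    </profile>
  </profiles>

  <!-- Activate the profile for every build run by this user. -->
  <activeProfiles>
    <activeProfile>artifactory-credentials</activeProfile>
  </activeProfiles>
</settings>
```

The password is still clear text in this file: Maven's settings encryption (`mvn --encrypt-password`) applies to `<server>` entries, not to profile properties. Restrict the file to its owner and give the account read-only access to the repository the builds fetch from.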



Re: How can I eliminate these embedded username and password entries?

Posted by Ron Wheeler <rw...@artifact-software.com>.
http://www.aspheute.com/english/20040105.asp
might be helpful.

I have only scanned it quickly but it seemed to have some good ideas 
about how to handle database passwords securely.

Ron
On 24/05/2012 12:07 PM, Will Hoover wrote:
> It's difficult to manage these types of configurations. As far as a
> self-contained application is concerned, we typically use the POM as the
> central source for the configuration of the application. This means that any
> datasources etc. get fed their properties via a Maven filter. So a password
> (like the one to connect to an internal DB) is filtered and added to our
> application's resources. The POM and relevant configuration files contain
> the passwords in clear text within the application build. There doesn't seem
> to be an elegant solution for this...
>
> Even if we manage to ask the user for a private password to an internal DB,
> we typically want to store that hashed password somewhere. We can't put the
> hashed password in the DB that it's for or we will never be able to
> connect to retrieve it. So, we usually use java.util.prefs.Preferences to
> store the hashed password... That introduces maintenance overhead because
> that still requires us to programmatically update the configuration every
> time the application starts because it's still using the configuration that
> is within the build (i.e. other non-application dependencies that require
> the configuration file(s)).


-- 
Ron Wheeler President Artifact Software Inc email: 
rwheeler@artifact-software.com skype: ronaldmwheeler phone: 
866-970-2435, ext 102

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
For additional commands, e-mail: users-help@maven.apache.org


RE: How can I eliminate these embedded username and password entries?

Posted by Will Hoover <ja...@gmail.com>.
It's difficult to manage these types of configurations. As far as a
self-contained application is concerned, we typically use the POM as the
central source for the configuration of the application. This means that any
datasources etc. get fed their properties via a Maven filter. So a password
(like the one to connect to an internal DB) is filtered and added to our
application's resources. The POM and relevant configuration files contain
the passwords in clear text within the application build. There doesn't seem
to be an elegant solution for this... 

Even if we manage to ask the user for a private password to an internal DB,
we typically want to store that hashed password somewhere. We can't put the
hashed password in the DB that it's for or we will never be able to
connect to retrieve it. So, we usually use java.util.prefs.Preferences to
store the hashed password... That introduces maintenance overhead because
that still requires us to programmatically update the configuration every
time the application starts because it's still using the configuration that
is within the build (i.e. other non-application dependencies that require
the configuration file(s)).

-----Original Message-----
From: Ron Wheeler [mailto:rwheeler@artifact-software.com] 
Sent: Thursday, May 24, 2012 10:22 AM
To: users@maven.apache.org
Subject: Re: How can I eliminate these embedded username and password
entries?

We have done a lot of single sign-on implementations over the years.

Mostly around getting access to remote servers to launch instructional 
content from an LMS or getting transparently logged into remote LMS portals.

There are lots of "standard" ways to do this which is almost as bad as 
not having standards.

A little off topic for the Maven list.
Ron



-- 
Ron Wheeler President Artifact Software Inc email: 
rwheeler@artifact-software.com skype: ronaldmwheeler phone: 
866-970-2435, ext 102



Re: How can I eliminate these embedded username and password entries?

Posted by Ron Wheeler <rw...@artifact-software.com>.
We have done a lot of single sign-on implementations over the years.

Mostly around getting access to remote servers to launch instructional 
content from an LMS or getting transparently logged into remote LMS portals.

There are lots of "standard" ways to do this which is almost as bad as 
not having standards.

A little off topic for the Maven list.
Ron

On 24/05/2012 8:23 AM, Will Hoover wrote:
> Yeah, the last option where we have the user provide a password is where
> we're currently headed. Thanks for your input!


-- 
Ron Wheeler President Artifact Software Inc email: 
rwheeler@artifact-software.com skype: ronaldmwheeler phone: 
866-970-2435, ext 102



RE: How can I eliminate these embedded username and password entries?

Posted by Will Hoover <ja...@gmail.com>.
Yeah, the last option where we have the user provide a password is where
we're currently headed. Thanks for your input!

-----Original Message-----
From: Ron Wheeler [mailto:rwheeler@artifact-software.com] 
Sent: Wednesday, May 23, 2012 2:21 PM
To: users@maven.apache.org
Subject: Re: How can I eliminate these embedded username and password
entries?

I used invisible ink.

You are right that the passwords are in clear text in the JNDI but they 
are in a place where they are not supposed to be visible to anyone 
except the system administrator.

For desktop applications, you can embed the passwords in the code and 
hope that the customers do not reverse engineer or you can provide a 
service that the desktop client can call to get a password from your 
server to use to unlock the database on their workstation.

If your installation procedure can get a password from the user and use 
that for the database, then you are at least giving the user a private 
password that will not be any good on another client's database.

It all depends on what use case you are trying to handle.

Ron



-- 
Ron Wheeler President Artifact Software Inc email: 
rwheeler@artifact-software.com skype: ronaldmwheeler phone: 
866-970-2435, ext 102



Re: How can I eliminate these embedded username and password entries?

Posted by Ron Wheeler <rw...@artifact-software.com>.
I used invisible ink.

You are right that the passwords are in clear text in the JNDI but they 
are in a place where they are not supposed to be visible to anyone 
except the system administrator.

For desktop applications, you can embed the passwords in the code and 
hope that the customers do not reverse engineer or you can provide a 
service that the desktop client can call to get a password from your 
server to use to unlock the database on their workstation.

If your installation procedure can get a password from the user and use 
that for the database, then you are at least giving the user a private 
password that will not be any good on another client's database.

It all depends on what use case you are trying to handle.

Ron

On 23/05/2012 12:18 PM, Will Hoover wrote:
> Was there a reply in there that I'm overlooking?


-- 
Ron Wheeler President Artifact Software Inc email: 
rwheeler@artifact-software.com skype: ronaldmwheeler phone: 
866-970-2435, ext 102



RE: How can I eliminate these embedded username and password entries?

Posted by Will Hoover <ja...@gmail.com>.
Was there a reply in there that I'm overlooking?

-----Original Message-----
From: Ron Wheeler [mailto:rwheeler@artifact-software.com] 
Sent: Wednesday, May 23, 2012 11:50 AM
To: users@maven.apache.org
Subject: Re: How can I eliminate these embedded username and password
entries?

On 23/05/2012 10:33 AM, Will Hoover wrote:
> Great posts! Thank you! My only concerns with the proposed solutions are the
> following:
>
> 1) Remote resources, scripts, etc. are great for internal network
> deployments (or "ships") such as web applications, but what about desktop or
> mobile applications that are self contained?
> 2) Even with JNDI and other solutions... at some point the passwords still
> reside in clear-text format, right?
>
> BTW, I agree that this should be outside the scope of Maven
> responsibilities. I'm just looking for input from other Maveneers and what
> measures they have taken to tackle this issue :)


-- 
Ron Wheeler President Artifact Software Inc email: 
rwheeler@artifact-software.com skype: ronaldmwheeler phone: 
866-970-2435, ext 102



Re: How can I eliminate these embedded username and password entries?

Posted by Ron Wheeler <rw...@artifact-software.com>.
On 23/05/2012 10:33 AM, Will Hoover wrote:
> Great posts! Thank you! My only concerns with the proposed solutions are the
> following:
>
> 1) Remote resources, scripts, etc. are great for internal network
> deployments (or "ships") such as web applications, but what about desktop or
> mobile applications that are self contained?
> 2) Even with JNDI and other solutions... at some point the passwords still
> reside in clear-text format, right?
>
> BTW, I agree that this should be outside the scope of Maven
> responsibilities. I'm just looking for input from other Maveneers and what
> measures they have taken to tackle this issue :)


-- 
Ron Wheeler President Artifact Software Inc email: 
rwheeler@artifact-software.com skype: ronaldmwheeler phone: 
866-970-2435, ext 102



RE: How can I eliminate these embedded username and password entries?

Posted by Will Hoover <ja...@gmail.com>.
Great posts! Thank you! My only concerns with the proposed solutions are the
following:

1) Remote resources, scripts, etc. are great for internal network
deployments (or "ships") such as web applications, but what about desktop or
mobile applications that are self contained?
2) Even with JNDI and other solutions... at some point the passwords still
reside in clear-text format, right?

BTW, I agree that this should be outside the scope of Maven
responsibilities. I'm just looking for input from other Maveneers and what
measures they have taken to tackle this issue :)

-----Original Message-----
From: Ron Wheeler [mailto:rwheeler@artifact-software.com] 
Sent: Wednesday, May 23, 2012 9:54 AM
To: users@maven.apache.org
Subject: Re: How can I eliminate these embedded username and password
entries?

This has come up so often I wrote some blogs on it.

http://blog.artifact-software.com/tech/?tag=jndi

On 23/05/2012 9:05 AM, Barrie Treloar wrote:
> On Wed, May 23, 2012 at 10:23 PM, Will Hoover<ja...@gmail.com> wrote:
>> This is an interesting topic of interest. We would like to do a similar thing with our DB passwords that are in our POMs. Are there any other options other than the ones described?
> Search the archives.
> External Resources used at Runtime (rather than build time) are either
> stored in JNDI or in property files which are loaded on the classpath.


-- 
Ron Wheeler President Artifact Software Inc email: 
rwheeler@artifact-software.com skype: ronaldmwheeler phone: 
866-970-2435, ext 102



Re: How can I eliminate these embedded username and password entries?

Posted by Ron Wheeler <rw...@artifact-software.com>.
This has come up so often I wrote some blogs on it.

http://blog.artifact-software.com/tech/?tag=jndi

On 23/05/2012 9:05 AM, Barrie Treloar wrote:
> On Wed, May 23, 2012 at 10:23 PM, Will Hoover<ja...@gmail.com>  wrote:
>> This is an interesting topic of interest. We would like to do a similar thing with our DB passwords that are in our POMs. Are there any other options other than the ones described?
> Search the archives.
> External Resources used at Runtime (rather than build time) are either
> stored in JNDI or in property files which are loaded on the classpath.


-- 
Ron Wheeler President Artifact Software Inc email: 
rwheeler@artifact-software.com skype: ronaldmwheeler phone: 
866-970-2435, ext 102



Re: How can I eliminate these embedded username and password entries?

Posted by Barrie Treloar <ba...@gmail.com>.
On Wed, May 23, 2012 at 10:23 PM, Will Hoover <ja...@gmail.com> wrote:
> This is an interesting topic of interest. We would like to do a similar thing with our DB passwords that are in our POMs. Are there any other options other than the ones described?

Search the archives.
External Resources used at Runtime (rather than build time) are either
stored in JNDI or in property files which are loaded on the classpath.



RE: How can I eliminate these embedded username and password entries?

Posted by Will Hoover <ja...@gmail.com>.
This is an interesting topic of interest. We would like to do a similar thing with our DB passwords that are in our POMs. Are there any other options other than the ones described? 

-----Original Message-----
From: shaun.t.erickson@accenture.com [mailto:shaun.t.erickson@accenture.com] 
Sent: Tuesday, May 22, 2012 7:49 PM
To: users@maven.apache.org
Subject: RE: How can I eliminate these embedded username and password entries?

Thank you for the suggestions, everyone. Based on them, I have done/will do this.

1) For now, I moved the three properties out of the POM files and into the settings.xml file. That at least keeps all the information in one file, should I wish to change it.
2) I will talk to our developers about using the maven-remote-resources-plugin as a better way to handle these resources. This would eliminate the need for those three properties.
3) I will look into encrypting the passwords in settings.xml.

Thank you for all your help. :)

-ste

-----Original Message-----
From: Evgeny Goldin [mailto:evgenyg@gmail.com]

Artifactory passwords stored in "settings.xml" can be further secured by switching to encrypted passwords:
http://wiki.jfrog.org/confluence/display/RTF/Centrally+Secure+Passwords

[snip]

________________________________
Subject to local law, communications with Accenture and its affiliates including telephone calls and emails (including content), may be monitored by our systems for the purposes of security and the assessment of internal compliance with Accenture policy.
______________________________________________________________________________________

www.accenture.com



RE: How can I eliminate these embedded username and password entries?

Posted by sh...@accenture.com.
Thank you for the suggestions, everyone. Based on them, I have done/will do this.

1) For now, I moved the three properties out of the POM files and into the settings.xml file. That at least keeps all the information in one file, should I wish to change it.
2) I will talk to our developers about using the maven-remote-resources-plugin as a better way to handle these resources. This would eliminate the need for those three properties.
3) I will look into encrypting the passwords in settings.xml.

Thank you for all your help. :)

-ste

-----Original Message-----
From: Evgeny Goldin [mailto:evgenyg@gmail.com]

Artifactory passwords stored in "settings.xml" can be further secured by switching to encrypted passwords:
http://wiki.jfrog.org/confluence/display/RTF/Centrally+Secure+Passwords

[snip]


Re: How can I eliminate these embedded username and password entries?

Posted by Barrie Treloar <ba...@gmail.com>.
On Wed, May 23, 2012 at 12:16 PM,  <sh...@accenture.com> wrote:
[del]
> I hope that as I learn, I'll ask smart questions and eventually be able to give back as you folks did tonight.
>
> Thanks! :)

It's good to get positive feedback.

I'll add the obligatory check out the freely available books at
http://maven.apache.org/articles.html
Which are probably targeted at developers, but there will be lots of
advice you will find useful.

I recommend you join forces with your configuration manager/controller
and read the books together.
There is lots of stuff that you should be forcing on your dev teams to
keep them in check.
http://maven.apache.org/plugins/maven-enforcer-plugin/ is just one of them.
And if artifactory supports it you should be checking license usage of
third party libraries and locking down which versions your company are
willing to support.

Good luck.



RE: How can I eliminate these embedded username and password entries?

Posted by sh...@accenture.com.
I realize I'm hijacking my own thread, but I really wanted to say this ...

I really appreciate the friendly and quick help I received on this list tonight. It really is appreciated, and my experience here is vastly different than on some other lists, where questions languish for days, if they are ever answered.

I mentioned that I'm not a developer, just the SysAdmin who has to support them. In order to better understand their work and needs, and to better understand the software I have to install and maintain on their behalf (Artifactory, Maven, etc.), and because we had no one else to support it, I recently took on maintenance of a small, but troubled, Java program that is crucial to our support infrastructure, here at work. It has taught me a lot about the basics of Java, JMS, Maven 3 and that, in turn, has helped me to understand how to properly set up a new Artifactory server for our developers and to resolve some Maven 2 issues they've been having. The more I learn, the better I can support them.

I hope that as I learn, I'll ask smart questions and eventually be able to give back as you folks did tonight.

Thanks! :)

-ste

-----Original Message-----
From: Erickson, Shaun T.

Thank you for the suggestions, everyone. [snip]


Re: How can I eliminate these embedded username and password entries?

Posted by Evgeny Goldin <ev...@gmail.com>.
Hi,

Artifactory passwords stored in "settings.xml" can be further secured by
switching to encrypted passwords:
http://wiki.jfrog.org/confluence/display/RTF/Centrally+Secure+Passwords



On Wed, May 23, 2012 at 1:30 AM, Barrie Treloar <ba...@gmail.com> wrote:

> On Wed, May 23, 2012 at 8:26 AM,  <sh...@accenture.com> wrote:
> > Thanks for your quick reply.
> >
> > There are other processes that deploy those resources to our artifactory server. I'm okay with them being there, but want to eliminate the need to embed that login info.
> >
> > That info has to be in the settings.xml file, in the <server> sections, so that they can deploy to artifactory. Can I also define these properties in the settings file and have the POMs inherit them? Then the POMs would have the info they need, but I can keep the login info restricted to the one settings file.
>
> Someone else has also suggested a different way of obtaining those
> resources.
>
> But to answer your question, separating this into two parts "deploy"
> and "access" means, as you have said, the deploy bit can be in
> settings.xml server sections and the access bit in the pom.
> So the question is why do the values in the pom need credentials?
> Get rid of that requirement and your problem is solved.
>
> For future reference, when you want replaceable property values they
> go in profiles in your settings.xml, see
> http://maven.apache.org/ref/3.0.4/maven-settings/settings.html
> Be very wary of creating a build process that is not repeatable.
> Profiles have been abused many times before.
>
> Barrie

Re: How can I eliminate these embedded username and password entries?

Posted by Barrie Treloar <ba...@gmail.com>.
On Wed, May 23, 2012 at 8:26 AM,  <sh...@accenture.com> wrote:
> Thanks for your quick reply.
>
> There are other processes that deploy those resources to our artifactory server. I'm okay with them being there, but want to eliminate the need to embed that login info.
>
> That info has to be in the settings.xml file, in the <server> sections, so that they can deploy to artifactory. Can I also define these properties in the settings file and have the POMs inherit them? Then the POMs would have the info they need, but I can keep the login info restricted to the one settings file.

Someone else has also suggested a different way of obtaining those resources.

But to answer your question, separating this into two parts "deploy"
and "access" means, as you have said, the deploy bit can be in
settings.xml server sections and the access bit in the pom.
So the question is why do the values in the pom need credentials?
Get rid of that requirement and your problem is solved.

For future reference, when you want replaceable property values they
go in profiles in your settings.xml, see
http://maven.apache.org/ref/3.0.4/maven-settings/settings.html
Be very wary of creating a build process that is not repeatable.
Profiles have been abused many times before.

Barrie
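
The "deploy" / "access" split described above, written out as an added example (not from the thread): one settings.xml with a <server> entry and the three POM properties in an active profile. The server id, profile id and encrypted-password placeholder are assumptions; the encryption referred to is Maven's own (mvn --encrypt-master-password, then mvn --encrypt-password).

```xml
<!-- ~/.m2/settings.xml : added example; ids and values are placeholders -->
<settings>
  <servers>
    <server>
      <!-- Hypothetical id; must match the <id> of the repository or
           distributionManagement entry that points at Artifactory. -->
      <id>artifactory</id>
      <username>a_username</username>
      <!-- Paste the {...} string printed by `mvn --encrypt-password`.
           Maven decrypts it at build time with the master password held
           in ~/.m2/settings-security.xml. -->
      <password>{ENCRYPTED_PASSWORD_PLACEHOLDER}</password>
    </server>
  </servers>

  <profiles>
    <profile>
      <!-- Hypothetical profile id. -->
      <id>artifactory-access</id>
      <properties>
        <artifactory-url>http://my.artifactory.server:8081/artifactory</artifactory-url>
        <!-- Caveat: these are ordinary properties. Maven interpolates
             them into ${artifactory-usr} / ${artifactory-pwd} verbatim
             and does NOT decrypt them, so an encrypted string here would
             reach the antrun <get> task as ciphertext. While the POM
             still needs these two values they stay clear text; the
             gain is only that they are out of version control. -->
        <artifactory-usr>a_username</artifactory-usr>
        <artifactory-pwd>a_password</artifactory-pwd>
      </properties>
    </profile>
  </profiles>

  <activeProfiles>
    <activeProfile>artifactory-access</activeProfile>
  </activeProfiles>
</settings>
```

Keep the file readable only by the build user (for example chmod 600), and keep settings-security.xml out of any shared or checked-in location, since whoever holds both files can recover the server password.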



RE: How can I eliminate these embedded username and password entries?

Posted by sh...@accenture.com.
Thanks for your quick reply.

There are other processes that deploy those resources to our artifactory server. I'm okay with them being there, but want to eliminate the need to embed that login info.

That info has to be in the settings.xml file, in the <server> sections, so that they can deploy to artifactory. Can I also define these properties in the settings file and have the POMs inherit them? Then the POMs would have the info they need, but I can keep the login info restricted to the one settings file.

-ste

-----Original Message-----
From: Barrie Treloar [mailto:baerrach@gmail.com]

On Wed, May 23, 2012 at 7:45 AM,  <sh...@accenture.com> wrote:
> Caveat: I'm the SysAdmin in charge of our Artifactory server (to which
> I'm new), and not a developer, so my Maven knowledge is somewhat
> limited. I'm a fast learner though. :)
>
[del]
> Is there some other way of retrieving these resources from my artifactory server that doesn't require embedding the login information in their POM files?
>
> Thank you, in advance, for any guidance you might offer.

I would be providing access to those resources via an unprotected url, which is what I guess you are asking.

You might have better luck on an artifactory mailing list, or in manuals.




Re: How can I eliminate these embedded username and password entries?

Posted by Barrie Treloar <ba...@gmail.com>.
On Wed, May 23, 2012 at 7:45 AM,  <sh...@accenture.com> wrote:
> Caveat: I'm the SysAdmin in charge of our Artifactory server (to which I'm new), and not a developer, so my Maven knowledge is somewhat limited. I'm a fast learner though. :)
>
[del]
> Is there some other way of retrieving these resources from my artifactory server that doesn't require embedding the login information in their POM files?
>
> Thank you, in advance, for any guidance you might offer.

I would be providing access to those resources via an unprotected url,
which is what I guess you are asking.

You might have better luck on an artifactory mailing list, or in manuals.



Re: How can I eliminate these embedded username and password entries?

Posted by Jesse Farinacci <ji...@gmail.com>.
Greetings,

On Tue, May 22, 2012 at 6:15 PM,  <sh...@accenture.com> wrote:
>                    <get
>                      src="${artifactory-url}/libs-release-local/path/to/findbugs-filter.xml"
>                    <get
>                      src="${artifactory-url}/libs-release-local/path/to/checkstyle.xml"
>                    <get src="${artifactory-url}/libs-release-local/path/to/pmd-ruleset.xml"

I prefer to use m-remote-resources-p:bundle for this kind of thing.
So, you'd create a set of plain Maven modules, one for each of these
resources, and bundle them up into a standard Maven artifact. Then, in
your /project/build/plugins you'd m-remote-resources-p:process those
bundles; where you listed those previously bundled projects as plugin
dependencies.

http://maven.apache.org/plugins/maven-remote-resources-plugin/

-Jesse

-- 
There are 10 types of people in this world, those
that can read binary and those that can not.
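
The bundle/process arrangement described above, as an added example that is not from the post: the rule files become a normal Maven artifact, so they are fetched through ordinary repository resolution (authenticated by the <server> entries in settings.xml) and the POM carries no username or password. The coordinates com.example.build:build-config:1.0 and the plugin version are assumptions; the example uses the plugin's resourceBundles parameter to name the bundle.

```xml
<!-- (1) Bundle module, build-config/pom.xml. The rule files
     (findbugs-filter.xml, checkstyle.xml, pmd-ruleset.xml) live under
     src/main/resources/ and are deployed like any other artifact. -->
<project>
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example.build</groupId>   <!-- hypothetical coordinates -->
  <artifactId>build-config</artifactId>
  <version>1.0</version>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-remote-resources-plugin</artifactId>
        <version>1.5</version>  <!-- assumed; pin the release you have vetted -->
        <executions>
          <execution>
            <goals><goal>bundle</goal></goals>
            <configuration>
              <!-- The default includes are **/*.txt and **/*.vm, so
                   XML files must be listed explicitly. -->
              <includes>
                <include>**/*.xml</include>
              </includes>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>

<!-- (2) In each consuming project, under /project/build/plugins.
     This replaces the antrun <get> calls and the three properties. -->
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-remote-resources-plugin</artifactId>
  <version>1.5</version>
  <executions>
    <execution>
      <goals><goal>process</goal></goals>
      <configuration>
        <resourceBundles>
          <resourceBundle>com.example.build:build-config:1.0</resourceBundle>
        </resourceBundles>
      </configuration>
    </execution>
  </executions>
</plugin>
```

By default the process goal unpacks the files under target/maven-shared-archive-resources, so the FindBugs, Checkstyle and PMD plugin configurations need to point there instead of into ${maven.repo.local}.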